Posted
by
CmdrTaco
on Monday November 15, 2010 @12:19PM
from the i-use-magnum-xl-av dept.

jhernik writes "Fearing their computers may be prone to viruses, many web-users download fake anti-virus software, only to find later that their bank details have been hacked. According to the latest research by GetSafeOnline.org, the UK's national internet security initiative, a rising number of organised criminal gangs are tricking security-conscious internet-users into purchasing anti-virus software to access their bank details. Posing as legitimate IT helpdesks, these fraudsters target internet users concerned about protecting their computers. By offering free virus checks, they normally tell consumers that their machines are infected and offer fake security software protection – usually costing around £30 – which is actually malicious software in disguise." The fact that there is such a thriving market for fake AV scams really says something about the present state of the legitimate AV market.

Yeah, it's not exactly news. For a couple of years I've been seeing pop-ups which try to mimic the XP "My Computer" Explorer window, warning of hundreds of viruses on each of the user's drives. Of course the whole thing is bogus but soon I find myself removing "AntiVirus XP 2011" or some crap like that from the computers of people who fell for it.

But, it is always funny if not a little confusing to see those popups while using Win7 or a non-Windows OS.

Just because users are often naive doesn't mean it's not news when there's a new wave of a specific type of malware, which allows Slashdot's technical readers to discuss Windows security, how to better educate users, the current state of the antivirus market, and so on. Lighten up a little, sheesh.

Yes, because it's impossible to educate yourself on any of this stuff. What we need is some kind of global information resource available to pretty much anyone, pretty much anywhere, that people could use to educate themselves. Seriously, you can't blame users for starting from a point of ignorance, but when they choose to remain in a state of ignorance then they're hardly blameless. People manage to learn how to drive largely without everyone killing themselves or each other the first time they get in a ca

Yes, because it's impossible to educate yourself on any of this stuff. What we need is some kind of global information resource available to pretty much anyone, pretty much anywhere, that people could use to educate themselves.

What we need is some kind of global information resource available to pretty much anyone, pretty much anywhere, that people could use to educate themselves.

This could work. Maybe some sort of interconnected network of computers...

But seriously...most people will, given time, learn how to protect themselves on the internet. The problem is that this does take time. Sure, you can tell someone not to click on popups, but then you need to teach them the difference between all the different windows that popup. You've got your windows dialogs, your anti-virus dialogs, popups from a browser and then fake versions of all of the above that might come from a browser or f

The thriving market for fake AV scams simply means people are too cheap to pay full price for a commercial AV scanner, or too stupid to find a legit free one. Computers are appliances to 90% of the world's population, and no other appliance requires expensive upgrades to determine if it's being misused. Even without a car alarm, you'll notice if your car isn't where you parked it, but most infected computers don't advertise as such. People know they need an AV scanner, and hey, the computer just offered them one, "Score! No need to go shopping for one!" All viruses (that aren't autonomous worms) spread based on misplaced trust or greed, and getting a cheap AV scanner appeals to both instincts.

Or that they are unaware that they already have one, or that they just are too trusting when someone says it's failed. Given that the users are demonstrating a lack of knowledge about reliability about AV software, the latter says more about the user than the installed AV.

Even without a car alarm, you'll notice if your car isn't where you parked it

It won't do you much good, though. This is why an alarm is now standard in most, if not all, new cars. Microsoft seems to be moving in the same direction for Windows, with Security Essentials. I guess antitrust issues stop them from installing it by default, though.

The funny part being that Security Essentials is actually pretty decent for a freely (as in gratis) distributed app. I actually wish MS put just a tiny bit of effort into pushing it in Windows, so that those who are cheap would install it before they fall prey to the Antivirus XP BS.

I'm not talking about irremovably bundling it into the OS, I just mean something as simple as recommending it or even displaying it in a list of other AVs noting price points when the user clicks on the "You have no antivirus, click here to get one installed, numbnuts!" red shield.

You know, something like:

1. Norton: $x/year
2. McAfee: $x/year
3. AVG: $x/year
4. AVG Free: Free!
5. Microsoft Security Essentials (Recommended): Free!
6. I have my own choice of antivirus that I will install.
7. I have my own antivirus

If ads on legitimate sites weren't offering up these kinds of "tools", I'd be more inclined to agree that the users who get infected are somehow stupid. I remember having my antivirus going off on a regular basis when browsing completely legit sites because an ad embedded in them was attempting an exploit.

To be fair, it's not exactly easy to find a legit free AV programme. Downloading my poison of choice, AVG, for example, requires you to navigate through the website, locate the tiny "free version" link on a series of pages, and wind through and around a whole lot of annoying screens designed to baffle/frustrate/bully you into buying a pay version.

And worse, you then have to go through this whole process again every six months when they release a new version that isn't covered by the auto updater.

I've had to clear a few of these off co-workers' machines this year. Running Windows 7 with the latest security patches and legitimate protection software installed, and people still get infected with this crap, so it's the users installing it and not just holes in the system being exploited. The last one I removed actually replaced the Windows shell on startup with itself, disabling web browsers, regedit, and other key system software. I felt like going on a shooting spree.

I don't blame them at all for installing the malware. In the case of the last cleanup I did, a web page apparently displayed a window that was made to resemble a Windows security alert. I think the solution is better computing environments, such as iOS, leaving the technical environment of a desktop PC to technical individuals who require it. Why should someone run Windows if all they do is word processing or web browsing? As Steve Jobs put it, today's PC environment will eventually be like pickup trucks. N

Only when it hits them financially - maybe if banks offered better rates or incentives to people who had passed some kind of basic internet competency exam, we'd see people making the effort to educate themselves (or lots of people falling for fake competency exam scams).

I've suggested that in the past and been accused of being elitist. That's how driver licensing came into being. Having people driving around at a whopping 8mph with no other vehicles on the road didn't really require much in the way of regulation. But now that vehicles have to be able to do at least 30 mph in order to cope with even side streets we now license just about all of them. Bikes and mopeds excluded.

Likewise, I think that requiring people to be able to install anti-malware and update their comp

>so it's the users installing it and not just holes in the system being exploited.

Are you sure about that? The analysis of various crimepack stats posted by Brian Krebs [krebsonsecurity.com] shows that the vector for these infections is usually (in order) Java, Adobe Reader, Flash, and browser exploits. So let's assume you patched these machines using Windows Update. That means you patched any known browser exploits, but the malware writer can still try various Java, Reader, and Flash exploits.

I think the real issue currently is how poorly these app updaters are written. Reader may never ask to do an update unless you manually start it once to install the current version of Adobe Updater. Java, depending on the version, either sits quietly in the tray asking for an update or never bothers. Flash asks at startup sometimes, but it may only update IE, but not Firefox.

For end users who have no clue, which is most of them, these apps should just be set to auto-update without asking. Admins and power users can edit this as need be. In the meantime, it's pretty trivial to infect a machine. Almost no one makes an effort to patch these apps.

I don't believe the problem is PEBCAK as we like to think. Browser plugins are a serious issue. They're just not being updated.

Who is sandboxing? Sure IE by default runs in protected mode, but the plugins I mentioned do not. Suspicious links are meaningless, these exploits do not require visiting some odd link. Most of these hackers take over ad servers and push malware in ads on legitimate sites.

AV software is also useless. These guys are compiling multiple versions of their malware per hour. Your AV can't keep up. By the time the AV vendors have a signature it's 12-48 hours too late and that build is removed from production.

I recently cleaned this off of a PC for a client of mine, and in their case, the original trojan horse files were found embedded in the compressed Java runtime files. So at least some of this stuff may be coming from "drive by infections" that take advantage of security flaws in older versions of the Sun JRE. Once the trojan is implanted in the JRE, it proceeds to auto download and install this other stuff.

how about some intelligent discussion about either educating the general public or another more intelligent solution?

We did that about 10 years ago when this story was fresh.

We've been doing that for the past 10 years. And we've decided that PEBKAC.

My idea of an intelligent solution is an infectious antivirus - spreads like other viruses do, via email, poisoned URLs, phishing, etc etc - use all the vulnerable vectors you can to spread an antivirus. It goes and tries to remove any viruses it can find and occasionally calls back to some central server for an updated list on new threats and how to combat them.

Plus patching any known security holes? Interesting idea. I think the trouble is funding/motivation: both virus and antivirus writers usually do it for profit, and it would take time and effort to keep it up to date. Since it would be, at best, dubiously legal, it probably couldn't be sponsored by any company, so it would have to be a guerilla effort. And the people who could write it mostly wouldn't benefit (except perhaps that they'd spend less time cleaning their families' computers...).

Besides the null legality of infecting PCs with legit antivirus software for the greater good, there is a secondary problem. Any tech-savvy user with their own AV solution will most likely see their PC acquire a second set of system-hogging antivirus software. Ever installed two concurrent firewalls on your PC and saw that neither one complained? Yup, don't expect coders to make the right assumptions.

You might instead have chosen to stop using ANY antivirus --then you get mad this virusy antivirus has to k

Any tech-savvy user won't be infected by the antivirus any more than they'd be infected by a regular virus. That's the beauty of it.

The great thing about it is that even if it annoys you that you keep getting infected by it - you can at least rest knowing that it's not trying to steal your information; you're safer battling to get the antivirus off your machine than you would be battling to get a regular virus off your machine.

That's an extremely bad idea. At the end of the day it would end up being exploited by crackers and in the best case it would give people the idea that if they don't secure their computers that somebody will do it for them.

In some parts of the world, they do things like that for lawns. If you don't mow your lawn frequently enough, the local council will have somebody do it for you, then send you a bill for the work. Not saying, I agree with it, but it does work. In meatspace, on the net, there's any numb

I read an argument recently (maybe on Language Log of all places) that this was an example of intelligence being a disadvantage. Having a general awareness of the threats represented by viruses is a requisite for vulnerability to the scam, while someone completely ignorant of computer threats wouldn't be susceptible. Sort of the scam-art equivalent of the uncanny valley.

How about just letting MS put security essentials onto your computer as part of regular windows updates? You could even set it up to remove fake antivirus products automatically. And if it accidentally breaks a legitimate one, at least you have MSE on there, which may (or may not) be as good as whatever it removed but it's better than millions of people with fake AV's.

Or how about a walled garden security store in windows? If you want access you have to be approved for the national app store by the gove

You gotta give it to companies like McAfee, Symantec, etc... they know how to scare people into handing over money so they are "protected". It was only a matter of time before people started to copy their methods.

so if a website tells them they can download one for a small fee, they will.

There's a difference between telling someone they can download an anti-virus scanner for a small fee and throwing an ominous looking pop up window saying something along the lines of "YOUR COMPUTER IS ABOUT TO GET INFECTED AND SOMEONE WILL STEAL YOUR BANK DETAILS YOU SHOULD PURCHASE OUR ANTI-VIRUS NOW OR ELSE".

If people know they need anti-virus they must know it's a pretty stupid idea to pay for it on a machine that's currently compromised. I know absolutely nothing about cars, but if someone told me my brake line had been cut (even if they were scamming me) I'd know enough not to drive to the garage to get it fixed. If you seriously thought your PC was unprotected and you still went ahead and entered your credit card details, what would you expect to happen? Is it so much hassle to go to the store and get an AV

I recently had to install Windows 7 at home, and decided to put Norton AV on my machine. I boot up on Windows roughly once every couple of weeks to run a specific application. So I notice Norton AV popping up loads of windows, running its intrusive update process and bombarding me with scary looking crap prompting me to read about the "latest security threats from cyber-criminals". Hair-raising stuff, especially if you're not a computer specialist.

I'm an IT professional, and _I_ find this behaviour sleazy, unethical, annoying and slightly alarming. This is a product I paid GOOD MONEY FOR. I'm PAYING to be bullied, essentially.

So I can just imagine the average user being bullied and terrified by this crap... which is not only enriching the AV vendors, but also making regular folk like lambs to the slaughter for the forces of evil out there.

I'd say that the consumer, criminals and the AV companies are really inhabitants of one ecosystem: prey, parasites and predators respectively.

I know AV is worthless, but it's still better than going naked. I had a legal copy of it lying around, so I went with that. Otherwise, I might've reached for something a bit faster and more reputable, e.g. Sophos, Kaspersky.

However, she is on a Mac, so I *presume* she is safe, except for her credit card number, which she did enter in order to buy the software. I told her to cancel her credit card and she did that and they issued her a new one. It is correct that she has no worries from the downloaded software, right? These things are always Windows-only, right? Just want to make absolutely sure. Or is there some way for them to hack her account given that she provided a credit card, and probably address and such?

Fake AV has been around for a long time. My father fell for one of those "your system is infected" ads 5+ years ago, and I had to spend an afternoon cleaning out the crapware he bought and installed when he clicked through. Fortunately all he was out was the $40 or so for the "product"; we scanned his system with some real AV and anti-malware/spyware products to remove all the junk that piggybacked its way in, and nothing more ever came of it.

My mother kept receiving calls from some company claiming to be IT support and trying to get her to visit a website to update her machine, as their records showed it being infected. She always says that her son deals with that sort of thing and she will just not switch the computer on until I have checked it. One day they called while I was there, so I spoke to them. They always mumbled the name of the company, so I asked them for their company registration number as I needed to check they were a legitimate company. They tried to get me to visit their website where I could see that they were legitimate; eventually they gave me a number which was about 12 digits too long for a company registration number. I told them I couldn't find anything about them at Companies House and eventually they gave up.

Nerds of the world, it is time to unite around a new cause. It is time to write, and release, a new virus that relies on a series of incredibly stupid attack vectors - the kinds of attack vectors that only a clueless dipshit would actually fall for. The virus has only one simple payload: it uninstalls all network drivers on the machine.

After several trips to get their machine "repaired," these folks will either wise up, or give up.

The people who really worry me are not the clueless dipshits, but the 50+ crowd who have never really used computers before, and through newly-acquired secondhand knowledge, now know just enough to be dangerous. I think they're probably the ones mostly in danger of falling for these scams. We need to keep our parents and grandparents educated and tell them just because a page shows up first in their Google search doesn't mean it's necessarily what they're looking for.

This is the reason I clicked on the story at all. Just two weeks ago, my mother (59) called in a panic about over 300 viruses that some program found, and was about to click on the "run this executable" popup that IE gave her (my father won't let her run Firefox? Not that FF is likely to have stopped this*) when she thought to call someone. She tried to get a hold of my father, but he wasn't available, so she called me. I told her it was a scam, and to abort immediately. Not knowing really what else to

Firefox can get them. I had a user get hit with this about a month ago. Luckily I had gone over fake anti-virus with them during in-service so they knew what they were looking at. They called me because even if they quit Firefox, the next time they ran it the fake AV came up again. Clearing the cache and resetting the home page was the fix.

Now, hah ha, I'm such an awesome user because I use Linux, but seriously, the thing we have to remember is these popups look good. Not "huh, 1997 emailed and said they wanted their msgbox back" but "holy shit Windows is flipping the fuck out!...wait, I'm not running Windows on this box. What the fuck is going on here?" If you haven't seen it, it's an awesome piece of chicanery that uses open / save API to read your files -- I shit you not, even on Ubuntu since it onl

This is I think the whole "browser as an application platform" thing we've had going for the last few years.

I know, I know, we need advances and you web programmer types can do some great things with your languages these days. But it's no longer just a browser at that point, is it? And when it gets to interact with the OS on various levels, and when there are holes (which there always are) bad things happen. The fact that web-apps and their multitude of up-popping windows can and do frequently look the same

"... Compound this with the McAfee Heel: most OTS boxes come with McAfee installed at least as a demo...."

You've inadvertently hit the nail on the head. The scam is simple and effective because it exploits human logic. I've noticed most /.'ers think that users are naive, or clueless, or worse, but they're missing the beauty of the scam because they can't think like a non-sophisticated user... they're beyond it and don't have the same mindset anymore.

For your parents, during your next visit, theme Firefox to look like IE, move bookmarks over, and then replace the IE icon on the desktop, start menu, etc. with new links that all point to Firefox. They probably won't be able to tell the difference, and then you can use the popup blocker.

IE 8 isn't too bad, if they won't go for the previous suggestion. IE 8 at least has popup blockers. I have to keep IE 8 around at work, as Chrome lacks certain features and renders some websites unusable (damn IE-only sites).

So, you're going to train everyone, every time a new attack vector/ad/clickbomb comes around?

Rather than tell them not to bank online (Are you fucking kidding me?!?!), try telling them if they want to be secure and not have their bank info stolen/cleaned out, then don't use Windows/IE. Since that is what EVERY scam uses. You can argue that using other platforms will have this eventually, but no others do right now. You can argue that Windows is more secure than others, but no other OSes have this scam. Y

And that's why the iPad is a wonderful device. Good enough to let people get on the Web, do email, instant messaging, some games. But it's not a regular computer where you can install new drivers, etc. The so-called "average users" are the target market.

These people are not the problem; the idea of giving such people full access to a full blown computer connected to a public network and running a fully fledged OS designed to make such things trivial is the problem...

You don't let people drive cars, fly aircraft or do various other things unless they have received proper training, and using a computer should be no different. Such users don't need a full blown computer, they need a simplified appliance that is controlled by someone else (who knows what they'

Not looking to cause a flame war, but the answer is a Mac. The security on it makes sense and most of this malware just won't run (because it's for Windows), and the stuff that could can't run by itself. You actually would have to install it and enter your password for it to work.

As someone who has switched their parents to a Mac, I can tell you that it's much easier to support as well. And they can call Apple support and get helped through lots of issues.

The over fifties have lived long enough to have at least some chance of having acquired some wisdom about trust and overconfidence. They also sometimes know a hell of a lot more than you give them credit for and are often willing to listen to reason. More dangerous are the twenty-something know-it-alls who are utterly confident of their own abilities because, after all, they "grew up in the digital age" (that is, they were taught how to misuse Excel in school and have had a cellphone since they were four)

As opposed to the teenage dipshits who are attacked by glittery "plugins" for their MySpace page. Most people are completely clueless about how they get attacked - It's got nothing to do with age at all.

So? Does the fact that the user made a mistake mean that this is not a problem worthy of attention? We need to find ways to make it easier to distinguish spyware that steals your personal information for criminal gangs from the legitimate software that steals your personal information for big businesses.

The problem with that is, all the ways to do this are probably _really_ bad.

I know! How about we designate Microsoft, erm I mean some independent authority, to decide what software is safe, and have some hardware built into all PC motherboards that verifies a piece of software has been signed before letting it run!

The _real_ problem with the trusted computing solution is that it sounds good.. which creates that deep seated fear that it might one day become a reality :(

Putting everything in the hands of Microsoft would be an absolutely terrible idea, but having multiple locked down devices catering to average users would be far better, and then you could still have other providers producing equipment for the geek niche market....

Look at Android for a good example, the average consumer buys a locked down phone while people who understand and can take advantage of a rooted Android device can either buy handsets lik

You're correct up to this point. Even with a mandatory hardware-based trusted computing platform, there will still be users out there being tricked into entering their banking details into a strange website (or even over the phone).

The walled garden approach (e.g. Apple) works well for average users... Linux distros with trusted repositories are a good idea too; the average user still receives the protection of getting all their software from a known trusted source while advanced users still have the flexibility available.

End users should not have root or equivalent access, they should only be able to install software from trusted sources and should defer to a third party (either someone they know, or a paid service etc) for anything more advanced.

I think my dad fell for something like this. As far as I can ascertain, he searched for Malwarebytes, and whatever page he got to, the most conspicuous "download" link was to the scam product. So really, I can't blame him for being fooled.

The software identified some issues, but said there were more, that it would charge him for removing. Some time later, he received a phone call about it. I don't know how they got his phone number, but we do have an unusual surname.

I completely agree.... However I get these from Symantec, McAfee and other "good" vendors. Not that this discounts your theory about it being a scam, it's just not a flat out 100% scam, only a partial scam.

It also says a lot about the security design of the operating system. Many of the scareware programs mimic Windows security alerts, so users who believe they are being security-minded by going along with the prompts are actually infecting themselves.

I've had three of these now. I'm not sure how I would have reacted if I hadn't already read about this practice on The Register some months ago, but it's interesting nonetheless.

First time I humoured him for a little bit, told him that I wasn't running Windows on any of my systems. When he started asking what OSes I was running, I ran off part of a list, then decided that it wasn't really his business anyway, told him so and hung up.

Second guy that tried it asked specifically about my Windows computer. Th